Sneed-Reactivity/yara-Neo23x0/gen_zoho_rcef_logs.yar

28 lines
946 B
Text
Raw Permalink Normal View History

rule EXPL_Zoho_RCE_Fix_Lines_Dec21_1 {
meta:
description = "Detects lines in log lines of Zoho products that indicate RCE fixes (silent removal of evidence)"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/cyb3rops/status/1467784104930385923"
date = "2021-12-06"
score = 65
id = "633287e3-a377-5b3c-8520-a7790168eff5"
strings:
// we look for the RCE Fixes
$s1 = "RCEF="
// we try to find a line which states that the attack is active (compromised host)
$sa1 = "\"attackStatus\"\\:\"active\""
$sa2 = "\"attackStatus\":\"active\""
// we try to find a line in which the RCE fix deleted a file (compromised host)
$sd1 = "deletedCount"
$sd_fp1 = "\"deletedCount\"\\:0"
$sd_fp2 = "\"deletedCount\":0"
condition:
filesize < 6MB and $s1 and (
1 of ($sa*) or
( $sd1 and not 1 of ($sd_fp*) )
)
}